World Password Day cracking challenge

Comments

The flip side of that is that even if someone has a password solved, they may elect to hold onto it in the expectation that 1Password will increase the reward again (as it has several times in the past), thereby holding out on $10k cash now in the hopes of receiving >>$10k in the future (provided nobody else beats the astronomical odds and cracks a password).

We were worried about this when we first discussed prize increases. And so we just hinted that there might be and hoped that we are vague enough to discourage people from trying to game things that way. Also of one person has found a password, then unless they were really lucky (say only searched a tiny portion of the space before getting it) then they should know that they might not be the only ones. It would be a risky game to play.

Of course, if they co-ordinate with each other, then they can look at dividing the 1st and 2nd place prize among them. But you will notice that in our last prize increase the combined prizes for 1st and 2nd place did not double. We spread things out give larger proportional increases to 3rd and 4th place.

If 1P makes a clarification that it will never raise the rewards again, I'd wager the probability distribution (of seeing a password release over time) shrinks and moves closer to the present.

I can say with a great deal of confidence that the approximately $32,000 we are now committed to spending in prizes is as much as we want to go. All future changes will be in the form of additional hints. I expect that our second bit of hint will be released either later this month or near the beginning of October.

On the one hand, it would be nice to just release two or three additional bits of hint now to help wrap this up, but I do want to "reward" people who have been working on this from before the hints were offered, so we are dribbling out the hints more slowly.

A digression

If I can put it in Econ-101 terms, it's that even if the incentives we offer are sufficient for covering the cost of the cracking effort, there is still a larger opportunity cost that we can't realistically match.

>

You got it. If you offered $30-100k for a single solution, it would be an absolute no-brainer and the passwords would be cracked before any of us (forum users) even got the chance to see the announcement.

The fact that the price of cryptocurrencies differs so much from the cost of mining is really disappointing. If they didn't differ then we wouldn't have to be competing this way against an opportunity cost.

One of the things that I really liked about the design of these is the control of the money supply without a central bank. Mining incentives should have smoothed out the prices, making them less volatile. I would really like to see some of these actually work as an efficient medium of exchange instead of just a means for holding (speculative) value. Money needs to do both, but a highly volatile currency in which only a tiny portion of transactions are for goods and services, is a failure as a currency. Maybe someday we will get this right.

You got it. If you offered $30-100k for a single solution, it would be an absolute no-brainer and the passwords would be cracked before any of us (forum users) even got the chance to see the announcement.

I'd have to disagree. Sure, you'd have more people participating, or possibly even those who are dedicating more time/resources/etc. to attempting it, but a higher reward doesn't negate the technical challenges involved in actually cracking the password. You'd definitely have more people with massive multi-GPU rigs participating as well as those who are willing to front the costs of paying for cloud instances hoping to recoup the costs with the reward payout, but there's still a fair amount of risk playing that game as many factors from luck to pure timing could impact who would capture and submit first.

Two bit hints are now published.

See earlier discussion for both the rationale for these hints and the details of how they were generated. Now with two bits of hints you should be able to quickly eliminate three out of every four guesses.

Just a word of advice when using the hints. We are talking about the first bits of a sequence of bytes; so make sure that however you are handling your SHA256 hashes that you do not strip away leading zeros.

At least one participant ran into this problem; so I thought I would warn others.

In the process of trying to get my 2012 Mac Pro to run macOS Mojave I had to, among other things, replace the graphics card with one that fully supports Apple's [Metal 2 API]. It has been a long time since I've shopped for a video card, and so had a whole new set of things to (re)learn. What I also had to adjust was my expectation of how costly this upgrade would be.

The relevant point: Had I shopped for video cards prior to setting up this contest and seen their prices, I might not have made such a large error in my estimate of what what prizes would be necessary. I'd have had a better sense of what cryptocurrency mining has done to the market.

I take it that it would be posted here quickly if anyone had successfully cracked any of the passwords? It's amazing that more than five months into the contest it appears that no one has cracked any of them...

Is there any indication as to how many people are still active in the challenge, and what sort of equipment they are using? Unless I'm mistaken, no registration is required with Bugcrowd (unless you succeed and wish to claim a prize?) so I suppose any estimate would be based on people who have reached out to 1PW for clarification or contest-related discussion in cracking forums and such.

You are exactly right that we really don't know how many people are participating, @EnerJi. A few people have tweeted about their set ups, and some participants have posted here. But we do no really have a good sense of whether its half a dozen or dozens.

And yes. Once there is a confirmed hit, we and Bugcrowd will try to get that information out there.

A first cost estimate

Based on the write-up from the crack of DOHB6DC7, I've done some back of the envelope calculations to help me assess the cost of cracking one of these three word passwords.

The team (s3inlc, winxp5421, blazer, and hops) only joined the effort after the second hint was offered,

After seeing that the second bit hint was released for the challenge, we calculated that worse case it would take us under 100 days to recover a single challenge hash. This made the challenge feasible and economically viable.

This makes some of the calculations much easier. Also note that their consideration did correctly include the risk of losing the race to someone else. They needed the prize to be worth much more than their actual costs, given the uncertainty of winning.

Keeping time, time, time in a sort of runic rhyme

We can simply multiply the amount of time it took them to find a result by 4 in order to see what the time would be without the hints. (Yes, there was some cost in making use of the hints, but I'm going to ignore those). They also found the password after searching through 18.71% of the keyspace, while on average a search of 50% of the keyspace is required. So I can multiply their total time by by 50/18.71 (2.67). So without the hints and without their good luck in finding a hit "early" I will multiply the work that they did by 10.69 (4 * 2.67).

So their cracking time of 17d 16:33:53 (424.5 hours) can be multiplied by our 10.69 to get the average time without the hints. So 4538 hours, which I will round down to 4500. (I tend to round in favor of the attacker as part of just being conservative as a defender.) This works out to be 187 days, which nicely rounds down to half a year.

Running costs

These rigs costed us approximately $16.24 per day to run.

I will take that "approximately" and round to 16USD per day.

Turning fixed costs into running costs

As they correctly say in their write-up there are fixed costs having to do with the gaining the expertise and experience needed to be able to do this. But like these winners, I am going to not include that in the calculations. It's certainly true that not anyone could do what they did, but there are probably enough organizations out there that could if they wanted to, that from a defender's point of view, I should ignore that cost.

Their estimate of the purchase price of the GPUs was 11,550 USD. But it's not as if they purchased those for this challenge and throw them away afterwards. We have to come to some guess at some amortization of that fixed cost to come up with some cost per day. Now we could go and examine prices of GPUs and their power over a period of time to try to figure that out. And if someone would like to do that, I will be very happy for what they come up with.

Until we have a more principled and data-driven number to go on, I'm just going to linearly amortize high-end GPUs over three years. So that makes the daily cost of those 11550/(3 * 365.4), which works out to $10.54 per day.

Total costs

If we add that to the other running costs, we get a total running cost of $26 per day (again rounding down).

If we take our average time to crack no-hint passwords fo this form at the 187 days we estimate above, that makes this $4862 to crack the average three word password generated from our list. With the hints, that total cost is cut in 4. But as the winners correctly said,

This may seem like a rather large difference in cost vs reward but, you must assess the risk of the challenge. Our group decided to select a single hash to attack instead of multiple. We are “putting all of our eggs into one basket” it's totally possible another group would find the same hash we are attacking and end up with nothing for our efforts.

This is why we tried to price the prizes at above what we (incorrectly) thought the costs would be.

To be continued

That is one way to do back of the envelope calculations on this. Next (in a separate comment) I will work on costs per N guesses. (Where N is a suitably large number that gives reasonable guesses.

Costs per (lots of) guesses

s3inlc, winxp5421, blazer, and hops report in their write-up of their successful cracking of challenge DOHB6DC7 that they maintained and average cracking rate of 209.85 kH/s. I'm not sure whether "kH" is 1000 hashes (guesses) or 1024 guesses. I'm going to go with the latter unless told otherwise.

This works out to about 2^34.11 guesses per day. Using the daily cost computation from my previous post, this makes the cost of making that many guesses $26. Now 2^34.11 isn't a very nice number, so let's pick a nearby round number like 2^32, which is 4.32, 2^(34.11 - 32), times smaller. This puts the cost of 2^32 guesses at $6.

There are 18328 words on our word list and we have three word passwords, so that means that there are 18328^3 possible solutions to go through. That is roughly 2^42.49. But on average an attacker should only have to go through half of those, so 2^41.49 guesses gives the attacker a 50% chance of finding the right one.

We want to know how many times 2^32 goes into 2^41.49 to how many times over the attacker needs to do 6 dollars of work. And we are reminded of why we look using logarithms so much; we can just subtract the exponents to do our division, and end up with 2^9.49. If it costs $6 to go through 2^32 guesses, it costs 6 times 2^9.49 dollars to go through half of the total search space.

So approximately $4300. This is within the same order of magnitude of the other computation, which involved different rounding at different points. This $6 per 2^32 guesses is tied to the specific key derivation method of 100,000 rounds PBKDF2-HMAC-256.

A reminder

And let me remind everyone that this challenge simulates the cost to an attacker who captures 1Password data from your own machine. This sort of attack is not feasible against data captured from 1Password.com. Without your Secret Key, part of our Two-Secret Key Derivation (2SKD), there is simply no way to launch a password guessing attack. Your Secret Key cannot be stolen from us (as we never have it in any form whatsoever), but it can be stolen from your systems by an attacker who gets the data from your system. This is why your Master Password remains important.

Another word

Now let's use the results above to see the cost of cracking a four word password. That keyspace would be 18328^4, or 2^56.65. Half of that keyspace (which the attacker would need to go through on average) is 2^55.65. 2^32 goes into that 2^23.65 times. And so at a cost of $6 for every 2^32 guesses, we would have the cost of an average guessing attack be $78,978,821. So roughly $79 million to guess a four word Master Password.

I believe Hashcat uses 1,000 as the base, at least according to what has been previously mentioned on their forums. For those attempting multiple hashes, note that this value is typically divided among the number of uncracked unique salts being attempted.

@jpgoldberg nice calculations, it's interesting to see the other side. But surprising that you have a dictionary of 18328 words, we used one with 18436 (maybe an older one with all the bad words which you removed later).
As far as I know, @TuxToaster is right that Hashcat uses 1'000 as base for the hash speed.

Thank you @TuxToaster and @s3inlc. I will go with 1000. It probably doesn't make a difference given the rounding I'm doing anyway.

But surprising that you have a dictionary of 18328 words, we used one with 18436 (maybe an older one with all the bad words which you removed later).

I think I failed to make it clear in the initial documentation that the wordlist is the one in the doc folder in the repo. So you did search a larger space than necessary. Sorry about that.

We do, on occasion, remove words from the list, and so I wanted to include the list that was used to generate the challenges publicly. It would have been really unfortunate if one of the solutions had a word that we removed after a participant fetch the list. Fortunately, it's been a very long time since we ever added a word, but the next time I retrieve the solution file (it's kept securely on removable media) I will have to check that none of the (very few) words that we've added are among the solutions.

I almost didn't keep a copy of the solutions at all. But it turns out that it is good that I did, as I wouldn't have been able to create the hints without it. I really couldn't see us doubling the prizes another two times.

Thanks, nice to hear that you liked the writeup. Regarding challenge 2SB5OP3G there won't be a full writeup, because we proceeded the same way as for the previous one (except that there was no mistake with the hash import).

World password cracking day, good to share, I used to read an article about hackers cracking passwords, involving too wide range of computer skills, but I have tried some simple skills on my computer,the first time it took me 10h to crack the password (I know it was stupid),similar to command prompt,this is not an easy job.

What is really interesting about their description of their efforts is that they are new to password cracking. They made a couple of false starts (generating candidates too slowly, not realizing that the word list was made public), but did get there in the end. They take home 4096 USD.

I've take a brief look, and I don't think that this changes estimates of costs. (See previous discussion of estimates.)

I will be traveling in the second half of January. So I will either be able to write stuff up in coming week, or my analysis will have to wait until February.

A huge "thank you" to all!

This has been an amazing learning experience for everyone. Although no further prize will be on offer, I will see if I can produce some more hints so that people can continue to play with the remaining three for their own learning.

I hope to have more to say "soon", but that might be sometime into February.

I think it would be useful to revisit what time for a four word password is expected to take now that you have real world data. At the nominal cost, what is the break even cost for the cracker for four words, for five? Finally with things being appropriated remotely, are those remote crackers likely to have better hardware and thus significantly shorter time than this challenge forecasts?

While your traveling, perhaps a blog post summary reviewing the findings and impressions of the current state of what is secure and what this current effort means???? That would be nice, if you have nothing else to do and are stuck in an airport somewhere with literally nothing else to do!

Just read their decryption... maybe next time more folks with gear will participate. They are not evil masterminds and seems they were just curious and optimistic ($$) how it would work... and really? 6 GTX 1070 so about 30 GPU months with the hints? (I wonder if that is a fair metric)

So I am a little late to the party... but what the... I just started today and thought I would try to crack one of the passwords that have already been cracked. My issue is that I can not seem to get the combinator to work in Hashcat for more than two dictionaries. I have installed the required files am using the following to test